Archive for May, 2007

Staff training lags behind

Friday, May 25th, 2007

According to a new study of 500 IT and HR professionals, 45 percent of businesses fail to train staff in handling sensitive corporate data, and 46 percent have no plans to introduce such training. With Marks & Spencer providing the latest proof of how easily personal records can fall into the wrong hands, I can only hope that this survey is unrepresentative. At IT Governance, we stress at all times the importance of internal communications and training as vital weapons in safeguarding information assets. To think security can be achieved without this is self-deluding.

DDoS on the wane/blog spamming on the rise

Wednesday, May 23rd, 2007

Symantec reports a decline in the use of Distributed Denial of Service attacks as an extortion tool. Their reasoning for the drop-off is that DDoS is becoming less profitable and carries a greater risk of detection. The downside is that hackers are instead turning their attention to spamming well-followed blogs, which is far easier and therefore more lucrative. With more businesses using blogs to communicate with customers, this is a new vulnerability that businesses need to consider as part of their risk assessment.

Risk Assessment Explained

Monday, May 21st, 2007

Given the increasing desire of businesses to be certified to ISO27001, risk assessment has emerged as an important skill for the infosec professional. While it is well-established in other areas, risk assessment is new to many in technology and requires mastering. There are various approaches, but ISO 27001 has particular requirements and compliance and certification can only be achieved if the right method is used. We have launched two new books to help different types of professional get the information they need in this area.

‘Risk Assessment For Asset Owners’ is a pocket guide aimed at people who need a quick overview of the facts. It is ideal for senior executives, people with peripheral involvement in a risk assessment or those who need a clear and concise place to start. Over 48 pages it explains the risk assessment requirements of ISO 27001 and how the entire assessment process should be managed, from identifying assets and assessing threats to selecting appropriate risk treatments and controls. The book is the latest in our series of Practical Information Security pocket guides and is available for only £7.95/US$15.92/EUR11.81 from.

For people directly responsible for conducting risk assessments a more detailed account is necessary, so we have also introduced ‘Information Security Risk Management for ISO27001/ISO17799’. Over 196 pages this provides step-by-step guidance on matters such as Impact and Asset Valuation, Risk Treatment and the Selection of Controls, and The Gap Analysis and Risk Treatment Plan. It also gives advice on the use of risk assessment tools, including vsRisk. Priced at £39.95/US$79.98/EUR59.37 it can be obtained from IT Governance here.

New software to make compliance a breeze

Friday, May 18th, 2007

We’re pedalling fast to catch up following a very busy time in the run-up to and aftermath of Infosecurity Europe in London recently. This was the first time we attended and we felt that things went well. We were pleased with the number of visitors to our stand (which was smartly branded with our now-standard strapline, ‘The one-stop-shop for information security books, tools, training and consultancy’) and felt that the general quality of delegates was good.

We used the show to launch several important new products, all of which were well received. Perhaps most excitingly, we introduced two new software tools that transform the process of becoming and remaining compliant with ISO 27001.

* Through Vigilant Software, a new joint venture with software house Top Solutions, we introduced vsRisk, an affordable and intuitive tool that transforms the process of performing an ISO 27001-compliant risk assessment. vsRisk™ is a unique, purpose-built application that dramatically reduces the time and cost of pursuing ISO 27001 compliance and is compatible with multiple related standards. It is far more straightforward to use than many of the existing risk assessment tools and requires no specialist training – we think it will be particularly useful for mid-sized organisations. It also costs substantially less than other systems, which we know will make sense to any organisation! Bought directly from us it costs only £895.00/US$1,770.60/EUR1,330.35. It is also available from quality resellers at the regular retail price of £995.00.

* Q-Pulse for ISO 27001 is a product we have developed jointly with Gael, which is the UK market leader in compliance management software systems. It combines Gael’s best-selling compliance management technology with our proprietary toolkit for the documentation and process management of the ISO 27001 standard. By automating vital tasks, such as document approvals, and providing easy-to-use audit management tools, the system provides an efficient means for driving ISO 27001 workflows throughout the organisation and ensuring that compliance is upheld.